• Hello,

    How to disable/hide “https://localhost.in/wp-json/wc/store/products/” from everyone who wants to see my products, via the wp-cerber plugin? It seems there is no functionality like “We’re sorry, you are not allowed to proceed” for this URL. How can I disable this for attackers? I don’t want to reveal my site, so this URL is a dummy. But ‘/wp-json/wc/store/products/’ is showing XML results in the browser – wp-cerber team, please fix/hide this like the other URL rules.


Viewing 15 replies - 1 through 15 (of 19 total)
  • Hi there,

    Add the appropriate namespace to wp-cerber -> dashboard -> [tab] hardening -> [section at the bottom of the page] Access To WordPress REST API -> [form] Allow these namespaces

    It should help. You can find more info here.

    PS If this doesn’t help, try adding a new role “Customer” to “Allow REST API for these roles” as well. It’s also in “Access To WordPress REST API”.

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    hhh

    Hello, my question was: when I paste this URL /wp-json/wc/store/products/ with my site, an XML page opens with all my WooCommerce product details. I want a 404 or any other 403 page to open instead of this XML output. How can I do this via wp-cerber? Much like wc/users/v1…. not remembering full URL for json… for this URL, Cerber displays a 403 page with a ? hand.

    I want similar hand for /wp-json/wc/store/products/.

    ?????????

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    Also, what namespace should I use for this?

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    is that wc?

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    See this screenshot of my wp-cerber settings. But https://www.mysite.com/wp-json/wc/store/products/ is still displaying the XML page of products.

    https://ibb.co/Bzg1vwm

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    mysite url is dummy

    If I understand correctly, you want to block access to this link [/wp-json/wc/store/products/] so that there is a 403 or 404 message? You don’t have to do this in WP-Cerber. Try adding something like this to the .htaccess file.

    RewriteEngine On 
    RewriteRule ^wp-json/wc/store/products/$ - [R=404,L]

    Let me know if it helped.

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    You understand correctly.

    I have solved this with the help of wp-code plugin. Add

    add_filter(
        'rest_authentication_errors',
        function ( $access ) {
            return new WP_Error(
                'rest_disabled',
                __( 'The WordPress REST API has been disabled.' ),
                array(
                    'status' => rest_authorization_required_code(),
                )
            );
        }
    );

    And check, if not Administrator. It works.

    But can you add some code in it – to redirect the user to 404 page…? Before closing this thread.

    Also, you must provide this in wp-cerber hardening section.

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    I’ll also try your method. Will editor be blocked or not?

    I will inform you then.

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    Hello, your htaccess code is not working. I checked it in all locations e.g. root folder, and wp-content folder. Not working anywhere.

    I don’t know what you’re doing on your server, but the previous code works 100% for me. I have prepared two more codes that you can use to solve your problem (use only one at a time). The first one is this, and you can paste it into the .htaccess file in the public_html, htdocs, or any other main folder for the site you are using.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-json/wc/store/products/
    RewriteRule .* - [R=404,L]
    </IfModule>

    The next code you need to paste into the functions.php file in the theme folder (preferably at the very bottom). Remember to use a child theme, as your code may disappear after an update.

    function disable_wc_endpoint() {
        $current_url = $_SERVER['REQUEST_URI'];
        if (strpos($current_url, '/wp-json/wc/store/products/') !== false) {
            wp_redirect(home_url('/404.php'));
            exit;
        }
    }
    add_action('rest_api_init', 'disable_wc_endpoint');

    In here /404.php put the link to your 404 error page.

    BTW, please write questions and answers in one message, as it gets chaotic.

    • This reply was modified 1 year, 1 month ago by niezmywalny.
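
Added example, not part of the original thread and not WP-Cerber or WooCommerce code: a variant of the functions.php approach above that matches on the REST route instead of `REQUEST_URI` and answers with a 404 error instead of a redirect, while letting administrators through. The function name, the `manage_options` check and the optional `/v<N>/` segment in the pattern are assumptions.

```php
<?php
/**
 * Added example (not from the thread): answer 404 for the WooCommerce Store API
 * product routes unless the caller is an authenticated administrator.
 * The function name and the capability used for the check are assumptions.
 */
function example_hide_store_products( $result, $server, $request ) {
    // Another filter already produced a response or an error: leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    // get_route() returns the REST route itself (for example /wc/store/products),
    // so the check does not depend on how the URL was written.
    $route = $request->get_route();

    // Match /wc/store/products and /wc/store/v<N>/products, with or without sub-paths.
    // The versioned form is an assumption that goes beyond the URL named in the thread.
    if ( ! preg_match( '#^/wc/store(/v\d+)?/products(/|$)#', $route ) ) {
        return $result;
    }

    // A cookie-authenticated REST request without a valid nonce is treated as
    // logged out, so an administrator who just opens the URL in a browser tab
    // also gets the 404.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Same error code and message WordPress core uses for an unknown route.
    return new WP_Error(
        'rest_no_route',
        __( 'No route was found matching the URL and request method.' ),
        array( 'status' => 404 )
    );
}
add_filter( 'rest_pre_dispatch', 'example_hide_store_products', 10, 3 );
```

Some WooCommerce blocks load product data from the Store API in the visitor's browser, so after enabling this filter or the `.htaccess` rules, check the shop pages as a logged-out visitor.
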
    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    Yes, this .htaccess code is working fine for me. I request you to pls reply to my question – Now Admin is also blocked from seeing this URL, can this affect any backend processes like editor not working, any issues in saving page/posts, add a woocommerce product in backend or in frontend users not able to see any products or paging…..etc, I mean any impact this .htaccess code has on admin backend/frontend?

    And thank you so much for assisting me and devoting your time for the thread. cheers. Now I disabled that wp-code snippet in my site.

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    Any attacker’s GET/PUT request should be mitigated now!

    I believe everyone currently has no access. If you need to grant someone access via IP to /wp-json/wc/store/products/, please do it this way:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^8\.8\.8\.8$ 
    RewriteCond %{REQUEST_URI} ^/wp-json/wc/store/products/
    RewriteRule .* - [R=404,L]
    </IfModule>

    Of course, in !^8\.8\.8\.8$ enter the admin IP address.

    BTW. No worries! We are here to help each other.

    Thread Starter ashishtiwari27

    (@ashishtiwari27)

    Can you modify this code for allowing Google and yandex bots only to access this URL? Or no need of it. I’ll add other bots which I want later on.

    However, there is no need to add admin ip in this, as all editor and post types are working.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^8\.8\.8\.8$
    RewriteCond %{REQUEST_URI} ^/wp-json/wc/store/products/
    RewriteRule .* - [R=404,L]
    </IfModule>

    Can I override RewriteRule .* - [R=404,L], to show Cerber’s 403 ? hand page instead of this 404?

  • The topic ‘Disable JSON End Points for woocommerce’ is closed to new replies.